Thursday, 18 July 2013

Oracle APEX - XSS in JavaScript column link URL

The more security conscious of you may have noticed, or may be interested to know, that there is a cross site scripting vulnerability in the column link URL when using JavaScript. This is regularly flagged by our ApexSec security scanner. In this post we will use an application with a jQuery modal dialog to illustrate this common vulnerability and its simple solution. Check out our previous post on how to have page access protection for pages inside modal windows.

This type of problem has been mitigated in APEX 4.2.2: if the URL field of your link column starts with 'javascript:', APEX will JavaScript-escape the template variables before substituting them into the JavaScript block. This is a security upgrade intended to remove the risk of this type of Cross Site Scripting (XSS) attack. The escaping is keyed on that prefix, so make sure your link URL actually begins with 'javascript:' rather than reaching JavaScript some other way.

This vulnerability is with the second parameter of the modal window call (in this case the #ENAME# template variable). Modal dialogs are a common feature within any application and they allow you to give the dialog a dynamic title to enhance the User Experience (UX).

In our example, the title of the modal window opened when the edit link in the report is clicked is defined by the 'ENAME' column. So if you click to edit the employee named 'blake' then the title of the window is 'blake'. Here you can see the difference between the JavaScript in the previous blog post and the JavaScript necessary to have a dynamic title in the modal window:

Comparison of the JavaScript used in our previous blog post and the JavaScript required for a dynamic title.

We have added a second parameter called 'title' to our mymodal function. The title is no longer defined literally as "Some title" and is now defined by the parameter variable 'title'.

Now navigate to the URL field in the link column section of the report attributes and use the template variable #ENAME# to pass the value from the ENAME column into the title parameter of the 'mymodal' function.

Whenever an edit link is clicked, the title of the modal window is set to the value of the “ENAME” column for that row in the report.

The vulnerability occurs because the template variable is only HTML escaped, and HTML escaping is the wrong escaping for this context: the browser decodes character references in the href attribute before it executes the javascript: URL, so an escaped quote is a plain quote again by the time the JavaScript runs. Because the template variable lands inside a JavaScript string literal, anyone who can influence the ENAME column can close that literal and append JavaScript of their own, which runs when the link is clicked. You are therefore vulnerable to an XSS attack through the data in that column.

If you are using a version of APEX earlier than 4.2.2, your first course of action should be to ensure that the URL field for your link column is not passing a potentially malicious title to the modal window function. Our method of doing this is to create a new column in the query for your report with the following PL/SQL:

This JavaScript-escapes the values in the column "ENAME" and names the new column "ENAME_JS". You can go ahead and make this column "Hidden" in order to maintain a user friendly report; it must stay in the query, though, because the link URL still needs it. Now in the URL field for the link column change the second parameter from #ENAME# to #ENAME_JS#. This ensures the values being passed into your modal window function are JavaScript escaped, so they cannot end the string literal they are placed in.
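The following is an added example, not code from the original post or from APEX, that simulates what the browser does with the link column described above: once with the title argument only HTML-escaped (the vulnerable case from earlier in the post) and once with it JavaScript-escaped first (the ENAME_JS fix). The page URL, the mymodal stub and the safe character set used by jsEscape are assumptions made for the demo; in a real report the escaping would be done in the query by a PL/SQL function such as APEX_JAVASCRIPT.ESCAPE (check the API reference for your release).

```javascript
// Added example (not from the original post): a Node.js simulation of why a
// column value that is only HTML-escaped can still break out of a string literal
// inside a javascript: link, and why JavaScript-escaping it first fixes that.
// The page URL, the mymodal function and the safe character set used by jsEscape
// are assumptions; they are not taken from the post or from APEX.

// HTML escaping of the kind a report column gets by default. Even with the single
// quote escaped (releases that leave it alone only make things easier for the
// attacker) the result is unsafe inside a javascript: URL.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// JavaScript escaping: every character outside a small safe set becomes \uXXXX, so
// the value can never end the string literal it is placed in. The output contains
// no HTML-special characters, so the HTML escape the report still applies to the
// column leaves it unchanged. (The safe set is an assumption made for this demo.)
function jsEscape(s) {
  return String(s).replace(/[^A-Za-z0-9 ,._]/g, function (c) {
    return '\\u' + ('0000' + c.charCodeAt(0).toString(16)).slice(-4);
  });
}

// The link column URL field, with the column value substituted the way the report
// does it: HTML-escaped, between the quotes of the second (title) argument.
function buildHref(columnValue) {
  return "javascript:mymodal('f?p=100:2:0', '" + htmlEscape(columnValue) + "')";
}

// Browsers decode character references in attribute values before acting on them,
// so &#x27; in the href is a plain quote by the time the javascript: URL runs.
// Handles the named and numeric references htmlEscape can produce.
function htmlAttrDecode(s) {
  var named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x([0-9a-f]+)|#(\d+)|amp|lt|gt|quot|apos);/gi,
    function (m, body, hex, dec) {
      if (hex) return String.fromCharCode(parseInt(hex, 16));
      if (dec) return String.fromCharCode(parseInt(dec, 10));
      return named[body.toLowerCase()];
    });
}

// Simulate a click: decode the attribute, strip the scheme, run the code with a
// recording mymodal and alert instead of the real ones. Returns the calls made,
// or [['error', name]] when the decoded link is not even valid JavaScript.
function runLink(href) {
  var calls = [];
  var code = htmlAttrDecode(href).replace(/^javascript:/i, '');
  try {
    new Function('mymodal', 'alert', code)(
      function (url, title) { calls.push(['mymodal', title]); },
      function (msg) { calls.push(['alert', String(msg)]); }
    );
  } catch (e) {
    calls.push(['error', e.name]);
  }
  return calls;
}

// Constructed sample ENAME values: an ordinary name with an apostrophe, and an
// injected one that closes the title literal and appends its own statement.
var NORMAL = "O'Brien";
var PAYLOAD = "'); alert(1); //";

// Vulnerable: #ENAME# only HTML-escaped. The quote survives attribute decoding,
// closes the title literal and the attacker's alert runs.
function vulnerableCalls(value) { return runLink(buildHref(value)); }

// Fixed: the URL field references an ENAME_JS column that was JavaScript-escaped
// in the query; the report's HTML escaping then has nothing left to change.
function fixedCalls(value) { return runLink(buildHref(jsEscape(value))); }

console.log(JSON.stringify(vulnerableCalls(PAYLOAD))); // [["mymodal",""],["alert","1"]]
console.log(JSON.stringify(vulnerableCalls(NORMAL)));  // [["error","SyntaxError"]]
console.log(JSON.stringify(fixedCalls(PAYLOAD)));      // [["mymodal","'); alert(1); //"]]
console.log(JSON.stringify(fixedCalls(NORMAL)));       // [["mymodal","O'Brien"]]
```

Note the second vulnerable case: a perfectly legitimate name containing an apostrophe breaks the link outright, so the HTML-only escaping is a functional bug as well as a security one. The JavaScript-escaped column handles both the attack and the apostrophe, and because its output is made only of backslashes, hex digits and characters from the safe set, the HTML escaping the report applies afterwards does not disturb it.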

In our next post we will discuss a known bug in the jQuery version that is shipped with APEX 4.2.2, as it causes another cross site scripting vulnerability in this example application that also must be fixed in order to fully eradicate the threat of XSS.